New Guidance for Protecting Student Health Care Information
On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (DOE) provided new joint guidance on the release of certain student records. In summary, this HHS/DOE release updated existing guidance from November 2008 on the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to student health records.
FERPA protects student privacy of “education records,” which may include student health records if maintained by an educational institution. HIPAA protects the confidentiality of protected health information (PHI) and applies only to health plans, health care clearinghouses, and health care providers that transmit PHI electronically in connection with certain transactions. The 2008 guidance was intended to help schools understand how FERPA and HIPAA applied to student education and health care records.
A press release for the 2019 update states:
“The guidance, which was first issued in November 2008, clarifies for school administrators, health care professionals, families, and others how FERPA and HIPAA apply to education and health records maintained about students. The revised guidance includes additional frequently asked questions and answers addressing when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Rule.”
HIPAA does not generally apply to schools because health information on students, if collected by the school, would be classified as educational records under FERPA. A school would thus look to FERPA to make decisions about what student health care records can be released, to whom, and what permissions are required prior to the release.
Although HIPAA does not often apply to school records, it does require that consent be obtained before the sharing of health information for purposes other than payment, treatment, or health care operations. So if a school has student PHI (for instance, if it has an in-house health center or nurse for students), it must consider whether HIPAA restrictions apply to the release of that student information. By way of example, the 2008 guidance explained that in emergencies and situations where an individual’s health is at risk, educational institutions may provide student health information to certain persons – for instance, to law enforcement, family, or caregivers who might be able to prevent the risk of harm.
The 2019 update details situations where these types of “emergency” disclosures are permitted by educational institutions – specifically, where sharing of PHI might be necessary to prevent or lessen a “serious and imminent threat to the health or safety of the individual, another person, or the public.”
For questions or more information on compliance with student privacy laws, please call Jeffrey Maddux at 423-757-0296 or Rosemarie Hill at 423-757-0242.